06-09-2010, 10:06 AM
Laurent Rineau

Problem with aiccu and radvd in /etc/NetworkManager/dispatcher.d/*

Hi,

(My second post in this list in two years of lurking.)

My machines run F-13.

My selinux packages are:
selinux-policy-3.7.19-23.fc13.noarch
selinux-policy-targeted-3.7.19-23.fc13.noarch


I want to trigger the services aiccu and radvd from NetworkManager, to get a Sixxs IPv6 tunnel and announce a Sixxs IPv6 subnet on the
LAN. For that, I have created this file:

$ cat /etc/NetworkManager/dispatcher.d/20-aiccu
#!/bin/sh

if [ "$2" = "up" ] ; then
/sbin/service aiccu start && /sbin/service radvd start || :
fi

if [ "$2" = "down" ] ; then
/sbin/service radvd stop || :
/sbin/service aiccu stop || :
fi


It works in permissive mode, but I had to create the following local.te module using audit2allow in order to get it to work in enforcing
mode:

==================================================================
module local 1.1;

require {
type insmod_exec_t;
type modules_conf_t;
type urandom_device_t;
type syslogd_t;
type ifconfig_exec_t;
type sysfs_t;
type port_t;
type modules_dep_t;
type shell_exec_t;
type bin_t;
type devlog_t;
type proc_t;
type random_device_t;
type console_device_t;
type modules_object_t;
type aiccu_t;
class tun_socket create;
class chr_file { read open };
class capability { net_admin sys_module sys_tty_config };
class tcp_socket { write name_connect connect shutdown read create };
class file { execute read execute_no_trans getattr open };
class sock_file write;
class netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
class lnk_file read;
class unix_dgram_socket { write create connect sendto };
class udp_socket { write read create connect };
class dir read;
}

#============= aiccu_t ==============
allow aiccu_t bin_t:lnk_file read;
allow aiccu_t devlog_t:sock_file write;
allow aiccu_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow aiccu_t insmod_exec_t:file { read getattr open execute execute_no_trans };
allow aiccu_t modules_conf_t:dir read;
allow aiccu_t modules_conf_t:file { read getattr open };
allow aiccu_t modules_dep_t:file { read getattr open };
allow aiccu_t modules_object_t:file { read open };
allow aiccu_t port_t:tcp_socket name_connect;
allow aiccu_t proc_t:file { read getattr open };
allow aiccu_t random_device_t:chr_file read;
allow aiccu_t self:capability net_admin;
allow aiccu_t self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
allow aiccu_t self:tcp_socket { read write create connect shutdown };
allow aiccu_t self:tun_socket create;
allow aiccu_t self:udp_socket { write read create connect };
allow aiccu_t self:unix_dgram_socket { write create connect };
allow aiccu_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow aiccu_t sysfs_t:file { read getattr open };
allow aiccu_t syslogd_t:unix_dgram_socket sendto;
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow aiccu_t urandom_device_t:chr_file { read open };

allow aiccu_t console_device_t:chr_file open;
allow aiccu_t modules_object_t:file getattr;
allow aiccu_t self:capability { sys_module sys_tty_config };

==================================================================

The AVC audit log is attached (compressed with bzip2). To get it, I used this sort of command:
cnetworkmanager -o off; DATE=`date '+%H:%M'`; cnetworkmanager -o on; sleep 10; sudo sh -c "/sbin/ausearch -ts $DATE -m avc | tee /root/audit.log"

This shell one-liner disables the network, stores the current time in $DATE, then enables the network, and uses ausearch (after a sleep
of 10 seconds) to get AVCs starting from the time $DATE.

I do not understand the AVC. Both aiccu and radvd have their own modules. I am not really used to selinux context transitions. I wonder
if it is possible that the AVCs are because radvd is running in the selinux context aiccu_t.

--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
06-09-2010, 03:58 PM
Dominick Grift

Problem with aiccu and radvd in /etc/NetworkManager/dispatcher.d/*

On Wed, Jun 09, 2010 at 12:06:35PM +0200, Laurent Rineau wrote:
> Hi,

It seems that the aiccu policy is incomplete. I do not see any radvd AVC denials, so I am assuming that this works.

As for the audit2allow output: I guess we need to extend the aiccu module. Looking at the source policy module, it indeed looks incomplete.

As for how to go about writing a proper patch:

First we need to add policy for domain transitions where possible, as this may change behaviour and thus other AVC denials.

So where/what to transition? Well, transitions happen on execution of an "entry file". In the rules below the executions are:

> allow aiccu_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
> allow aiccu_t insmod_exec_t:file { read getattr open execute execute_no_trans };
> allow aiccu_t shell_exec_t:file { read execute open getattr execute_no_trans };


So the first thing we should do is write a module that makes sure the transitions go well:

Create a working directory:

mkdir ~/mywork; cd ~/mywork;

Let's create a policy patch:

echo "policy_module(myaiccu, 1.0.0)" > myaiccu.te;
echo "require { type aiccu_t; }" >> myaiccu.te;
echo "sysnet_domtrans_ifconfig(aiccu_t)" >> myaiccu.te;
echo "modutils_domtrans_insmod_uncond(aiccu_t)" >> myaiccu.te;
echo "corecmd_exec_shell(aiccu_t)" >> myaiccu.te;

See if it builds:

make -f /usr/share/selinux/devel/Makefile myaiccu.pp

Install it:

sudo semodule -i myaiccu.pp

Now reproduce the issue. Do exactly as you did before and please paste again the list with audit2allow rules.

In short: the aiccu policy is incomplete; you can help us finish it by testing and providing feedback. Once we have it working we can share our result by submitting it to Fedora.


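As an added illustration of the advice above (example code, not part of the original posts and not audit2allow's own source), the parser below turns AVC records of the kind attached to this thread into audit2allow-style allow rules and, following the point about "entry files", flags executions of `*_exec_t` files as the places where a domain-transition interface belongs rather than a raw allow. The three proc_t records are the ones attached later in the thread with their contexts written out in full; the ifconfig_exec_t record is constructed.

```python
import re
from collections import defaultdict

# Sample input: three records from the log attached later in this thread
# plus one constructed execute denial (not from the thread) of the kind
# that produced the ifconfig_exec_t rule in the first post.
SAMPLE_LOG = [
    'type=AVC msg=audit(1276182740.754:592): avc: denied { open } for pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    'type=AVC msg=audit(1276182740.754:592): avc: denied { read } for pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    'type=AVC msg=audit(1276182740.754:593): avc: denied { getattr } for pid=7422 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    # constructed record
    'type=AVC msg=audit(1276182700.000:580): avc: denied { execute } for pid=7400 comm="aiccu" name="ip" dev=sda1 ino=12345 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file',
]

# Fields of a type=AVC record as printed by "ausearch -m avc".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """system_u:system_r:aiccu_t:s0 -> aiccu_t (the type is the third field)."""
    return ctx.split(':')[2]

def parse_avcs(lines):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types are skipped
            key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
            rules[key].update(m['perms'].split())
    return rules

def allow_rules(rules):
    """Render audit2allow-style allow rules, sorted so the output is stable."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        out.append(f'allow {src} {tgt}:{cls} {{ {p} }};' if len(perms) > 1
                   else f'allow {src} {tgt}:{cls} {p};')
    return out

def transition_candidates(rules):
    """Entry-file types the domain executes without a transition: use the
    matching *_domtrans_* interface for these rather than a raw allow."""
    return sorted(tgt for (src, tgt, cls), perms in rules.items()
                  if cls == 'file' and 'execute' in perms and tgt.endswith('_exec_t'))
```

Running `allow_rules(parse_avcs(SAMPLE_LOG))` yields the proc_t rule from the second post plus the execute rule, and `transition_candidates` singles out ifconfig_exec_t as the one to cover with sysnet_domtrans_ifconfig instead.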
 
06-10-2010, 03:23 PM
Laurent Rineau

Problem with aiccu and radvd in /etc/NetworkManager/dispatcher.d/*

Hi Dominick. Thanks for your answer. I have followed your recommendations (see
below).

On Wednesday 09 June 2010 17:58:58 Dominick Grift wrote:
> lets create a policy patch:
>
> echo "policy_module(myaiccu, 1.0.0)" > myaiccu.te;
> echo "require { type aiccu_t; }" >> myaiccu.te;
> echo "sysnet_domtrans_ifconfig(aiccu_t)" >> myaiccu.te;
> echo "modutils_domtrans_insmod_uncond(aiccu_t)" >> myaiccu.te;
> echo "corecmd_exec_shell(aiccu_t)" >> myaiccu.te;
>
> See if it builds:
>
> make -f /usr/share/selinux/devel/Makefile myaiccu.pp
>
> Install it:
>
> sudo semodule -i myaiccu.pp

I have created myaiccu.te with:

policy_module(myaiccu, 1.0.0)
require { type aiccu_t; }
sysnet_domtrans_ifconfig(aiccu_t)
modutils_domtrans_insmod_uncond(aiccu_t)
corecmd_exec_shell(aiccu_t)

and typed:
sudo setenforce 0
sudo semodule -d local
sudo semodule -i myaiccu.pp
then I have disabled and reenabled the network.

I have had three AVCs (full log attached), and audit2allow now only says:

#============= aiccu_t ==============
allow aiccu_t proc_t:file { read getattr open };



I have retried with a new myaiccu.te:

policy_module(myaiccu, 1.0.1)
require { type aiccu_t;
type proc_t;
class file { read getattr open };
}
sysnet_domtrans_ifconfig(aiccu_t)
modutils_domtrans_insmod_uncond(aiccu_t)
corecmd_exec_shell(aiccu_t)
allow aiccu_t proc_t:file { read getattr open };

and:
sudo semodule -u myaiccu.pp
and then the disable/enable of the network gives no AVC.

I hope that can help you fix the aiccu module.

--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
 
06-10-2010, 05:36 PM
Dominick Grift

Problem with aiccu and radvd in /etc/NetworkManager/dispatcher.d/*

On Thu, Jun 10, 2010 at 05:23:01PM +0200, Laurent Rineau wrote:
Hello,

Great, thanks. If you want, you can report the fix to this issue yourself to Fedora's Bugzilla in the selinux-policy component. You would mention the following:

sysnet_domtrans_ifconfig(aiccu_t)
modutils_domtrans_insmod(aiccu_t)
corecmd_exec_shell(aiccu_t)
kernel_read_system_state(aiccu_t)

And enclose the AVC denials that you've been seeing.

Thanks in advance.




> ----
> time->Thu Jun 10 17:12:20 2010
> type=SYSCALL msg=audit(1276182740.754:592): arch=c000003e syscall=2 success=yes exit=3 a0=3786942300 a1=0 a2=1b6 a3=2 items=0 ppid=7234 pid=7422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:aiccu_t:s0 key=(null)
> type=AVC msg=audit(1276182740.754:592): avc: denied { open } for pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1276182740.754:592): avc: denied { read } for pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Thu Jun 10 17:12:20 2010
> type=SYSCALL msg=audit(1276182740.754:593): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff68dd8580 a2=7fff68dd8580 a3=2 items=0 ppid=7234 pid=7422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:aiccu_t:s0 key=(null)
> type=AVC msg=audit(1276182740.754:593): avc: denied { getattr } for pid=7422 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file


 
